Determining a combined compliance assessment metric

ABSTRACT

According to some implementations, compliance assessment metrics in a subset of two or more compliance assessment metrics are combined to form a combined compliance assessment metric. Each compliance assessment metric in the subset reflects a level of compliance of a set of rules with a different type of data privacy and/or data security laws, regulations, and/or policy. The set of rules are to manage personal data in an organization instance of a customer of a cloud-based software provider capable of hosting the organization instance in one or more datacenters in a plurality of different geographic regions. An ability to move data from the organization instance from a first geographic region to a second geographic region is gated based on the combined compliance assessment metric. In addition, the combined compliance assessment metric is displayed as part of a data policy compliance service provided by the cloud-based software provider.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. Application No. 17/163,307, filed Jan. 29, 2021, which claims the benefit of U.S. Provisional Application No. 63/120,721, filed Dec. 2, 2020, and U.S. Provisional Application No. 63/120,201, filed Dec. 1, 2020, which are hereby incorporated by reference.

TECHNICAL FIELD

One or more implementations relate to the field of data privacy and/or data security; and more specifically, to compliance with data privacy and/or data security policies.

BACKGROUND ART

Companies collect, share, analyze, and store their business data, and must do so in compliance with complex regional and industry-specific regulations. Companies must vigilantly monitor data privacy and/or data security enforcement trends, laws, and regulations to mitigate risks and potential liability. For instance, sensitive data is information that requires protection against unwarranted disclosure. Protection of sensitive data may be required for legal or ethical reasons, for issues pertaining to personal privacy, and/or for proprietary considerations. Broadly speaking, the term “personal data” is any information relating to an identified or identifiable person. Personal data can include a person’s name, a person’s contact information (e.g., a mailing address, email address, and/or telephone number), a person’s user identifier (referred to herein as UserID) assigned by an application/service, an IP address associated with a device used by the person to access the application/service, or any other information that is related to the person which can be obtained or used by an application/service. In some cases, a distinction can be made between personal data, which uniquely identifies a user (e.g., a person’s name) or renders the user identifiable (e.g., a user identifier), and user traceable data. User traceable data is data that is not directly personal data (i.e., does not directly identify the user or make the user identifiable) but can be traced back to the identity or an activity of the user (e.g., an IP address of a device used by the user, a user’s mailing address if the user is not the only person living at that address, etc.).

Cloud services are hosted and perform their processing in datacenter(s). These datacenter(s) may be: 1) first party datacenter(s), which are datacenter(s) owned and/or operated by the same entity that provides and/or operates some or all of the software that provides the service(s); and/or 2) third-party datacenter(s), which are datacenter(s) owned and/or operated by one or more different entities than the entity that provides the service(s) (e.g., the different entities may host some or all of the software provided and/or operated by the entity that provides the service(s)). For example, third-party datacenters may be owned and/or operated by entities providing public cloud services (e.g., Amazon.com, Inc. (Amazon Web Services), Google LLC (Google Cloud Platform), Microsoft Corporation (Azure), Alibaba Group (Alibaba Cloud)). Operators of third-party datacenters provide Infrastructure-as-a-Service (IAAS or IaaS) (e.g., virtual machines, servers, and/or storage).

The “hardware layer” of public cloud services includes the hardware (e.g., to provide compute, storage) and software to provide third party datacenter services for different regions, zones, and/or edge locations. The third-party datacenter provider is responsible for the security (sometimes referred to as security of the cloud) of this hardware layer. The “customer data layer” is a layer above the hardware layer and represents what the third-party datacenter provider’s customers are responsible for in terms of security (sometimes referred to as security in the cloud). This customer data layer includes the customer data, as well as one or more of: 1) platform, applications, identity, and access management; 2) operating system, network, and firewall configurations; 3) client-side data encryption and data integrity authentication; 4) server-side encryption (file system and/or data); and 5) networking traffic protection (encryption, integrity, and identity).

BRIEF DESCRIPTION OF THE DRAWINGS

The following figures use like reference numbers to refer to like elements. Although the following figures depict various example implementations, alternative implementations are within the spirit and scope of the appended claims. In the drawings:

FIG. 1A is the top part of a dashboard of a data policy compliance service of a cloud-based software provider according to some implementations.

FIG. 1B is the bottom part of a dashboard of a data policy compliance service of a cloud-based software provider according to some implementations.

FIG. 1C is the top part of an updated dashboard of a data policy compliance service of a cloud-based software provider according to some implementations.

FIG. 1D is the bottom part of the updated dashboard of a data policy compliance service of a cloud-based software provider according to some implementations.

FIG. 1E is part of a dashboard of a data policy compliance service of a cloud-based software provider according to some implementations.

FIG. 1F is part of a dashboard of a data policy compliance service of a cloud-based software provider according to some implementations.

FIG. 1G is a block diagram illustrating components according to some implementations.

FIG. 1H is a block diagram illustrating components according to some implementations.

FIG. 2A is a flow diagram illustrating the updating of a dashboard of a data policy compliance service of a cloud-based software provider according to some implementations.

FIG. 2B is a flow diagram for generating compliance assessment metrics according to some implementations.

FIG. 3A is a block diagram illustrating an electronic device 300 according to some example implementations.

FIG. 3B is a block diagram of a deployment environment according to some example implementations.

DETAILED DESCRIPTION

The following description describes implementations for a framework to allow customers of a cloud-based software provider to discover the applicable data policies and set up their organization instance(s) in compliance with those policies (e.g., regional and/or industry-specific data privacy and/or data security enforcement trends, laws, and regulations). Some implementations help companies monitor their organization instance compliance in their current region. Some implementations help companies migrate their organization instance(s) to other regions safely and securely. An organization instance is information (e.g., data, metadata, configuration, applications, code, etc.) hosted within a cloud-based software provider service. As such, a company may have one or more organization instances with a given cloud-based software provider. A cloud-based software provider’s service can enable a customer to collect, process, and store user data as part of one or more of that customer’s organization instances.

Typically, datacenters are available in different geographic regions. For instance, a third-party datacenter operator often has datacenters in different geographic regions and allows each of its customers to select a set of one or more of these geographic regions to host its data and/or processing. Third-party datacenter operators also often offer tools that a customer of the datacenter can select from in order to comply with data privacy and/or data security policies in the region in which each datacenter is located. As such, a customer of a third-party datacenter must understand how its data is categorized relative to data privacy and/or security, and then select the right third-party datacenter tool(s) for that data to comply with that customer’s view on data privacy and/or data security.

A cloud-based software provider providing cloud services (e.g., Software-as-a-Service (SaaS); Data-as-a-Service (DAAS or DaaS); Platform-as-a-service (PAAS or PaaS); etc.) to its customers may use first party datacenters and/or third-party datacenters. For instance, a third-party datacenter operator may have a cloud-based software provider as a customer, and the cloud-based software provider may have one or more customers (and in fact, each of the cloud service provider’s customers may have a service and/or product they provide to customers of their own). Regardless, a cloud-based software provider using datacenters (be they first-party and/or third-party) in different regions means that as a result the cloud-based software provider’s customers are having their data hosted and processed in one or more of those different regions. For instance, when a cloud-based software provider is using one or more third party datacenters, then as a result the customers of the cloud-based software provider are using the one or more third party datacenters.

In some implementations, a cloud-based software provider provides a service that allows the cloud-based software provider’s customers to choose the geographic region(s) in which their data will be hosted and/or processed. Thus, a customer of the cloud-based software provider may choose a set of one or more of the geographic region(s) having an available datacenter(s) (first-party and/or third-party relative to the cloud-based software provider) to host that customer’s data residing in the cloud-based software provider’s service. Put another way, the cloud-based software provider provides a service (which may be referred to as a data policy compliance service, a data compliance service, a geographic region service, a selection service, etc.) to its customers that allows those customers to choose the geographic regions in which the available datacenter(s) hosting and processing their data are located. Furthermore, some implementations include, as part of this data policy compliance service, one or more compliance assessment metrics reflecting the level of compliance with data privacy and/or data security policies in the geographic regions of the available datacenters. These compliance assessment metric(s) allow the cloud-based software provider’s customers to be prepared and understand their organization health for any region they are currently in (referred to as the current region(s), hosted region(s), host region(s), organization region(s)) and/or interested in moving into (referred to as the target region(s)).

In addition to geographic regions, data privacy and/or data security laws, regulations, and/or policy can vary by industry (e.g., the insurance industry, the banking industry, the oil industry, etc.) and/or by company (e.g., one company’s view of the laws/regulation may be different from another’s, one company’s risk assessment relative to compliance may be different than another’s). In some implementations, the above compliance assessment metrics are based on: 1) the laws and/or regulations of the geographic region in which a datacenter is located (also referred to as geographic region policies, region-level policies, country-level policies); 2) the laws, regulations, and/or policy pertaining to an industry (also referred to as industry policies, industry standards, industry data standards, industry specific regulations, industry-level policies); 3) a given company’s policies (sometimes referred to as corporate policies, company-level policies, corporate-level policies); or 4) any combination thereof. Thus, the compliance assessment metrics allow the cloud-based software provider’s customers to be prepared and understand their organization health for any region and industry they are currently in and/or interested in moving into. Thus, some implementations support 2 types of compliance assessment metrics: 1) a first type of which each is specific to one type of policy (e.g., region, industry, company); and 2) a second type that represents a combination of two or more of the first types.

Thus, in the case of target region(s), the compliance assessment metric(s) provide: 1) a tool to guide a customer to a more compliant posture; and/or 2) a gating mechanism for migration from one region to another. Thus, it is a tool to help the cloud-based software provider’s customers see how ready their products/services are for being hosted and/or processed in different regions (which can be an indicator of and/or the equivalent of seeing how ready a product and/or service is for being offered in different regions). This can help prioritize which region(s) a product and/or service should be rolled out to. Additionally or alternatively, this may help the cloud-based software provider’s customers determine the level of effort required to host data closer to their customers to improve performance.

Also, some implementations provide recommended actions to improve compliance with data privacy and/or data security in any current and/or new region. Thus, in the case of target region(s), these recommendations provide a tool to help the cloud-based software provider’s customers get their products/services ready for being hosted and/or processed in a target region (which can be an indicator of and/or the equivalent of seeing how ready a product and/or service is for being offered in a target region).

Implementations may also show: a) the region requirements (local laws, compliance, etc.); b) what kind of annualized contract value (ACV) potential there is in a region by opportunity; c) prioritized lists to make a product and/or service available in a particular region; d) initiate processes to get product and/or services teams to put their product and/or services into a region; or e) any combination thereof.

According to some implementations, the compliance assessment metrics are based on: 1) a hierarchy of types of policies; and/or 2) the region(s) of different types of activities. In terms of a hierarchy of types of policies, some implementations consider geographic region policies, followed by industry policies, followed by a company’s policies when generating the compliance assessment metrics. In terms of the region(s) of different types of activities, some implementations consider the geographic region in which: a) data is collected (also referred to as data collection); b) data is hosted (also referred to as data hosting); c) data is processed (also referred to as data processing); or d) any combination thereof.

Following are some examples of policies and types of activities. Examples of geographic region data policies (also referred to as region-level policies) include New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act, California’s California Consumer Privacy Act of 2018 (CCPA), and the European Union’s General Data Protection Regulation (GDPR). The term “data sovereignty” or “data residency” is sometimes used to refer to requirements that records about a nation’s citizens or residents follow its personal or financial data processing laws, while “data localization” goes a step further in requiring that initial collection, processing, and storage first occur within the national boundaries. In some cases, data about a nation’s citizens or residents must also be deleted from foreign systems before being removed from systems in the data subject’s nation. Thus, another example is where a region is a country, and data sovereignty/data residency and data localization requirements are examples of geographic region data policies (also referred to as country-level data policies). In the US, the Health Insurance Portability and Accountability Act (HIPAA) may be considered an industry policy. As another example, assume a cloud-based software provider’s customer (referred to as the first customer) is a company that provides a service (e.g., insurance quotes) in a first country, and the company’s customers (referred to as second customers) are people in that first country which access the company’s service and enter/create data (in other words, data is collected in the first country). Also, assume that the company has configured the cloud-based software provider’s service to send the collected data to an engine in a second country that processes the data (i.e., data processing) to produce a result (e.g., an insurance quote). Finally, assume that the company has configured the cloud-based software provider’s service to send the result back to a datacenter in the first country to be stored (i.e., data hosting). In this case, some implementations may generate the compliance metrics for this example by considering the applicable geographic region policies to be that of the region in which the data hosting is performed (i.e., the first country), the industry policy to be that of the insurance industry, and the company policies to be that of the company. Additionally or alternatively, some implementations may consider the region of the data collection and/or the data processing as part of the compliance metric determination. Additionally or alternatively, some implementations may consider whether the requisite consent for the end users (the second customers) has been obtained to host and/or process the data in any particular region (e.g., the first country, the second country, or another region).

Some implementations provide as the set of one or more compliance metrics: a) a metric for each of the types of policies; b) a metric representing the combination of policies.

As indicated above, a cloud-based software provider may be operated by a first entity and provide one or more services to its customers. A company can establish one or more organization instance(s) with the cloud-based software provider, where each organization instance can include a group of users who share a common access with specific privileges. As such, different organization instances may be different entities (e.g., different companies, different departments/divisions of a company, and/or other types of entities), and some or all of these entities may be vendors that sell or otherwise provide products and/or services to their customers. Each organization instance may allow for management, organization instance-specific functionality, configuration, customizations, non-functional properties, associated applications, etc. In the case of a company creating multiple organization instances, not only is the company a cloud-based software provider customer, but each group of users operating their organization instance is also a cloud-based software provider customer.

Compliance Assessment Metrics for Region(s) According to Some Implementations

FIG. 1A is the top part of a dashboard of a data policy compliance service of a cloud-based software provider according to some implementations. The dashboard is of a data policy compliance service, where the dashboard identifies a first geographic region 170 in which there is a datacenter hosting an organization instance of a customer of a cloud-based software provider. Also, in some implementations, the first geographic region 170 is one of a plurality of geographic regions and the dashboard also includes an indication of each of the plurality of geographic regions (e.g., second geographic region 171). In some implementations, the plurality of geographic regions includes the geographic regions in which there is a datacenter in which the cloud-based software provider may host organization instances. Additionally or alternatively, the dashboard includes a set of one or more compliance assessment metrics (see FIG. 1B) reflecting how compliant the organization instance is with a set of one or more policy types based on the organization instance being hosted in the first region.

More specifically, FIG. 1A includes a global menu bar along the top that shows the cloud-based software provider’s customer is Acme and selection of the “Home” tab 172. Below this is a tile 173 with a menu bar with the “Org Distribution” tab 174 selected. Within this tile and below the tile’s menu bar is a map including multiple geographic regions, a drop-down menu currently showing “All Orgs” is selected, and a legend. Since “All Orgs” is selected, the legend indicates that the customer has 43 “Total Orgs” in 3 “Total Regions.” Thus, the legend indicates that the customer Acme has 43 organization instances with the cloud-based software provider, and each of these 43 organization instances is in one of 3 geographic regions. The 3 geographic regions are the current regions, and their locations are shown on the map with an icon in 3 different places (geographic regions 170, 175, 176). Thus, each of these regions represents a geographic region with one or more datacenters that are currently hosting an organization instance. Additionally or alternatively, a different icon may be shown on the map to indicate each region (e.g., geographic region 171) in which there is at least one datacenter (e.g., those to which the cloud-based software provider has the ability to host an organization instance). Thus, in some implementations these reflect “available regions for migration” of an existing organization instance and/or available regions for a new organization instance.

FIG. 1B is the bottom part of a dashboard of a data policy compliance service of a cloud-based software provider according to some implementations. This includes a second tile 177 titled “Compliance Assessment Metric.” This tile shows 2 types of compliance assessment metrics: 1) a first type 178 for which there is a separate compliance assessment metric for each of the policy types; and 2) a second type 179 that represents a combination of two or more of the first types. In FIG. 1B, the policy types include country-level/region-level data policies, industry-level data policies, and company-level data policies, and each of these policy types has a separate compliance assessment metric. In the specific examples of FIG. 1B, each shows 100% compliance via a solid-colored ring, a 100%, and the word “Compliant.” FIG. 1B also shows the second type 179 of compliance assessment metric which reflects a manner of combining all three of the first type 178. This second type 179 of compliance assessment metric has 3 tiers representing different levels of compliance (e.g., not compliant, proceed with caution, and ready to go). In the specific example of FIG. 1B, this is shown as a horizontal bar with 3 separate areas (180A, 180B, and 180C) for the 3 tiers, as well as a circle 181 in one of the 3 areas indicating how the customer is currently scoring. One or more of these compliance assessment metrics may change based on changes to any of the policies and/or changes to the rules the customer has enabled to govern personal data.

Responsive to this dashboard, a user may take a variety of actions, including: 1) consider migrating a given organization instance from a current region to a different region (also referred to as a target region); 2) consider trying to improve a compliance assessment metric (if the customer was not at 100% already); 3) consider what regions are available to host a new organization instance; etc. FIGS. 1C-F illustrate the flow according to this first action. More specifically, responsive to user input that selects the “Explore Regions” tab (182 in FIGS. 1A and 1C), the content of the dashboard is updated to include information regarding the plurality of geographic regions. In some implementations, this includes an indication of the tier to which the organization instance would belong if the organization instance was moved from the first geographic region to one or more other geographic regions in the plurality of geographic regions. Responsive to further user interaction (e.g., selection of one of the current geographic regions, such as 170, and one of the other geographic regions, such as 171), the dashboard is updated to reflect information regarding a possible migration of the organization instance from the first geographic region to a second geographic region of the plurality of geographic regions as reflected in FIGS. 1C-D.

FIG. 1C is the top part of an updated dashboard of a data policy compliance service of a cloud-based software provider according to some implementations. FIG. 1C is similar to FIG. 1A, so the differences will be discussed. In FIG. 1C, the icons that reflect the “available regions for migration” are replaced with icons that reflect the tier (see above description regarding tiers) to which the organization instance would belong if the organization instance was moved from the first geographic region to one or more other geographic regions in the plurality of geographic regions. In addition, FIG. 1C is responsive to user input having selected a second region (Brazil) 171 and has a pop-up 183 including information regarding the region. In addition, the pop-up includes a “Select This Region” button 184.

FIG. 1D is the bottom part of the updated dashboard of a data policy compliance service of a cloud-based software provider according to some implementations. FIG. 1D is similar to FIG. 1B, so the differences will be discussed. Namely, the second tile titled “Compliance Assessment Metric” has been updated to reflect the same type of information, but for the target geographic region rather than the current geographic region. In the specific examples of FIG. 1D, the metrics for the first two policy types indicate 100% compliance, while the metric for the third indicates 63% compliance and “Proceed with Caution” (while the image illustrates “Proceed with Caution” because some implementations use the same three tiers described above, some implementations display either “compliant” or “non-compliant” (i.e., a binary outcome) for the first type of compliance assessment metrics). FIG. 1B also shows the second type of compliance assessment metric which reflects a manner of combining all three of the first type. This second type of compliance assessment metric has the circle in the “Proceed with Caution” tier. Thus, the dashboard includes a set of one or more compliance assessment metrics reflecting how compliant the organization instance would be with a set of one or more policy types based on the organization instance being hosted in the second geographic region.

Responsive to user interaction (e.g., selection of the “Select This Region” button 184), the dashboard is updated to reflect a set of acts to be performed before migrating the organization instance to the second geographic region as reflected in FIGS. 1E-F.

FIG. 1E is part of a dashboard of a data policy compliance service of a cloud-based software provider according to some implementations. FIG. 1E shows a set of acts 185 to be performed before migrating the organization instance to the second geographic region. In some implementations, the dashboard also includes: 1) an interface element 186 (e.g., a “Migrate” button) whose selection causes the migration of the organization instance to the second geographic region; 2) an interface element 187 (e.g., the “I Accept the Risk” button) that allows the user to accept any risk reflected by a less than 100% compliance assessment metric(s); and/or 3) an interface element 188 (e.g., a “Review Policies” button) that allows the user to review the policies to try to improve the compliance assessment metrics. Responsive to user interaction (e.g., selection of the “Review Policies” button), the dashboard is updated to display information regarding one or more of the data policies as shown in FIG. 1F.

FIG. 1F is part of a dashboard of a data policy compliance service of a cloud-based software provider according to some implementations. FIG. 1F shows the provision of the ability to navigate through information regarding one or more of the data policies.

While FIGS. 1A-F illustrate implementations with both the first and second type of compliance assessment metrics, as well as three different policy types, other implementations may have more, less, and/or different types of compliance assessment metrics and/or policy types. While FIGS. 1A-F illustrate possible dashboards and interfaces, alternative implementations may rearrange and/or include more, less, or different information and interfaces.
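The gating described with reference to FIGS. 1B, 1D and 1E (a metric per policy type, a three-tier combined metric, a list of acts, and an explicit risk acceptance) can be sketched as follows; this is an added example, not code from the application. The rule names, the 50% threshold, the "weakest policy type decides the tier" combination, and the choice to block a "Not Compliant" tier even when risk is accepted are all assumptions, since the description does not fix how the metrics are combined.

```python
from dataclasses import dataclass
from enum import Enum


class Tier(Enum):
    NOT_COMPLIANT = "Not Compliant"
    PROCEED_WITH_CAUTION = "Proceed with Caution"
    READY_TO_GO = "Ready to Go"


# Policy hierarchy from the description: region, then industry, then company.
POLICY_TYPES = ("region", "industry", "company")
CAUTION_FLOOR = 50  # assumed threshold: below this the tier is "Not Compliant"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    tier: Tier
    metrics: dict   # first-type metric (percent) per policy type
    acts: list      # requirements still to satisfy before migrating
    reason: str


def policy_metric(required, enabled):
    """Percent of a policy type's required rules that the customer has enabled."""
    if not required:
        return None  # nothing is known about this policy type for the target region
    return round(100 * len(required & enabled) / len(required))


def combined_tier(metrics):
    """Second-type metric: the weakest policy type decides the tier (assumption)."""
    if any(m is None for m in metrics.values()):
        return Tier.NOT_COMPLIANT  # fail closed when a policy type was not assessed
    worst = min(metrics.values())
    if worst == 100:
        return Tier.READY_TO_GO
    return Tier.PROCEED_WITH_CAUTION if worst >= CAUTION_FLOOR else Tier.NOT_COMPLIANT


def gate_migration(requirements, enabled_rules, risk_accepted_by=None):
    """Decide whether an organization instance may move to the target region."""
    metrics, acts = {}, []
    for ptype in POLICY_TYPES:
        required = requirements.get(ptype, set())
        metrics[ptype] = policy_metric(required, enabled_rules)
        acts += [f"{ptype}: enable '{r}'" for r in sorted(required - enabled_rules)]
    tier = combined_tier(metrics)
    if tier is Tier.READY_TO_GO:
        return Decision(True, tier, metrics, acts, "all policy types at 100%")
    if tier is Tier.PROCEED_WITH_CAUTION and risk_accepted_by:
        return Decision(True, tier, metrics, acts, f"risk accepted by {risk_accepted_by}")
    if tier is Tier.PROCEED_WITH_CAUTION:
        return Decision(False, tier, metrics, acts, "risk acceptance required")
    return Decision(False, tier, metrics, acts, "blocked: not compliant or not assessable")


# Constructed sample data: requirements of a hypothetical target region and the
# rules a hypothetical organization instance currently has enabled.
TARGET_REQUIREMENTS = {
    "region": {"store-data-in-region", "honor-deletion-requests"},
    "industry": {"encrypt-at-rest"},
    "company": {"mask-contact-fields", "retain-max-24-months", "log-data-exports"},
}
ENABLED = {"store-data-in-region", "honor-deletion-requests", "encrypt-at-rest",
           "mask-contact-fields", "log-data-exports"}

if __name__ == "__main__":
    for who in (None, "constructed-admin"):
        d = gate_migration(TARGET_REQUIREMENTS, ENABLED, risk_accepted_by=who)
        print(d.tier.value, d.metrics, "allowed" if d.allowed else "blocked", "-", d.reason)
        for act in d.acts:
            print("  act:", act)
```

Recording who accepted the risk, rather than a bare boolean, keeps the override auditable.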

FIG. 2A is a flow diagram illustrating the updating of a dashboard of a data policy compliance service of a cloud-based software provider according to some implementations. Block 200 states “cause the display of a dashboard of a data policy compliance service, wherein the first dashboard identifies a first geographic region in which there is a datacenter hosting an organization instance of a customer of a cloud-based software provider.” Control flows to block 202.

An example of this according to some implementations is shown and described with reference to FIG. 1A. As previously described, FIG. 1A shows a map with an icon in a geographic region where one or more organization instances are currently hosted.

Block 202, which is dashed and thus indicating it is optional, states “wherein the first geographic region is one of a plurality of geographic regions and the dashboard also includes an indication of each of the plurality of geographic regions.” Control flows to block 204 and block 224.

An example of this according to some implementations is shown and described with reference to FIG. 1A. As previously described, the map in FIG. 1A also includes other icons in other geographic regions.

While FIG. 2A shows control flowing from block 202 to block 224, in alternative implementations control flows from block 200 to block 224. Regardless, one or both of these paths may be undertaken. The path along blocks 202-210 represents a user investigating a possible migration of an organization instance from one region to another. The path along block 224 to 216 represents a user investigating ways to improve the compliance assessment metric(s) for the organization instance in the current region in which it is hosted.

Block 204, which is dashed and thus indicating it is optional, states “wherein the plurality of geographic regions include the geographic regions in which there is a datacenter in which the cloud-based software provider may host organization instances.” Control flows to block 206.

An example of this according to some implementations is shown and described with reference to FIG. 1A. As previously described, FIG. 1A shows a map with other icons in other geographic regions.

Block 206, which is dashed and thus indicating it is optional, states “responsive to user input, cause the display of the dashboard to include information regarding the plurality of geographic regions.” Control flows to block 208.

An example of this according to some implementations is shown and described with reference to FIGS. 1A and 1C. As previously described, a user may interact with the dashboard by, for example, selecting the “Explore Regions” tab as shown in FIG. 1C.

Block 208, which is dashed and thus indicating it is optional, states “wherein the dashboard includes an indication of the tier to which the organization instance would belong if the organization instance was moved from the first geographic region to one or more other geographic regions in the plurality of geographic regions.” Control flows to block 210.

An example of this according to some implementations is shown and described with reference to FIG. 1C. As previously described, a user may interact with the dashboard by, for example, selecting an organization instance in a current region. In some implementations, the dashboard is updated to replace the above-described icons with icons that reflect an indication of the tier to which the organization instance would belong if the organization instance was moved from the current geographic region to one or more other geographic regions.

Block 210 states “responsive to user interaction, cause the display ofthe dashboard to reflect information regarding a possible migration ofthe organization instance from the first geographic region to a secondgeographic region of the plurality of geographic regions wherein theplurality of geographic regions include the geographic regions in whichthere is a datacenter in which the cloud-based software provider mayhost organization instances.” Control flows to block 212 and 220.

An example of this according to some implementations is shown anddescribed with reference to FIG. 1C. As previously described, a user mayinteract with the dashboard by, for example, selecting an iconrepresenting one of the other regions (selecting a target region) toconsider whether to migrate the selected organization instance from thecurrent region to the target region. In some implementations, thedashboard is updated as described above to reflect the possiblemigration (see dashed line) and a popup with information about thetarget region. As also previously described, a user may interact with a“Select This Region” button, in which case the dashboard may be updateda show in FIG. 1E.

Block 212, which is dashed, indicating that it is optional, states “wherein the dashboard also includes a set of one or more compliance assessment metrics reflecting how compliant the organization instance would be with a set of one or more policy types based on the organization instance being hosted in the second region.”

An example of this according to some implementations is shown and described with reference to FIG. 1D. The displayed compliance assessment metric(s) may be used by a user to determine whether to click the “Select This Region” button.

Block 220 states “responsive to user interaction, cause the display of the dashboard to reflect a set of acts to be performed before migrating the organization instance to the second geographic region.” Control flows to blocks 214, 222, and 218.

An example of this according to some implementations is shown and described with reference to FIG. 1E.

Block 214, which is dashed, indicating that it is optional, states “wherein the dashboard also includes an interface element that allows the user to review the policies to try to improve the compliance assessment metric.” Control flows to block 216.

An example of this according to some implementations is shown and described with reference to FIG. 1E. A user may interact with a “Review Policies” button, in which case the dashboard may be updated as shown in FIG. 1F.

Block 216, which is dashed, indicating that it is optional, states “responsive to user interaction, cause the display information regarding one or more of the data policies.”

An example of this according to some implementations is shown and described with reference to FIG. 1F.

Block 218, which is dashed, indicating that it is optional, states “wherein the dashboard also includes an interface element that allows the user to accept any risk reflected by a less than 100% compliance assessment metric(s).”

An example of this according to some implementations is shown and described with reference to FIG. 1E. A user may interact with an “I Accept the Risk” button. As described below, some implementations will allow selection of this button if the combined compliance assessment score falls in a specific tier or tiers, for instance the “Proceed with Caution” tier.

Block 222, which is dashed, indicating that it is optional, states “wherein the dashboard also includes an interface element whose selection causes the migration of the organization instance to the second geographic region.”

An example of this according to some implementations is shown and described with reference to FIG. 1E. A user may interact with a “Migrate” button. As described below, some implementations will allow selection of this button if: 1) the combined compliance assessment score falls in a first tier (e.g., the “Compliant” tier); or 2) the combined compliance assessment score falls in a second tier (e.g., the “Proceed with Caution” tier) and the user has already indicated that they accept the risk (e.g., by selecting the “I Accept the Risk” button).

Block 224, which is dashed, indicating that it is optional, states “wherein the dashboard also includes a set of one or more compliance assessment metrics reflecting how compliant the organization instance is with a set of one or more policy types based on the organization instance being hosted in the first region.” Control flows to block 216.

An example of this according to some implementations is shown and described with reference to FIG. 1B. As previously described, the displayed compliance assessment metric(s) may be used by a user to understand the status of compliance relative to all or a selected one of their organization instance(s).

While FIG. 2A is described using FIGS. 1A-F as examples, alternative implementations may: 1) have more, fewer, and/or different types of compliance assessment metrics and/or policy types; and 2) rearrange and/or include more, less, or different information and interfaces. Additionally or alternatively, an implementation may require more or fewer selections by the user, different types of selections (tabs, buttons, links, drop downs, swipes, etc.), and/or different ways of navigating to get to the example information on the example dashboards shown.

FIG. 1G is a block diagram illustrating components according to some implementations. More specifically, FIG. 1G shows a geographic region 102A including one or more organization instances 122, on top of one or more cloud-based software provider instances 112A.A, on top of one or more datacenters 113A.A-113A.R. One such organization instance 122 is organization instance 122A. FIG. 1G also shows the relationship of customers to a cloud-based software provider 132 (as well as possible relationships of customers of those customers). In addition, the set of one or more geographic regions 103A illustrate that different ones of these customers may be in the same or different ones of the plurality of geographic regions. FIG. 1G shows that the components shown in the geographic region 102A may be viewed as belonging to one of two layers: a datacenter hardware layer 110 and a datacenter customer layer 120. These layers can refer to the “hardware layer” of public cloud services and the “customer data layer” as described above.

More specifically, FIG. 1G shows that the cloud-based software provider 132 has customers 130, including potentially a customer 130A and a customer 130C. The customer 130C does not have any customers of its own, while the customer 130C is shown as having customers 160A-K. The cloud-based software provider 132 is shown as providing the cloud-based software provider instance(s) 112A.A with which its customers 130 may create organization instances 122.

The cloud-based software provider instance(s) 112A.A may provide a data policy compliance service 134 that utilizes policies 128, which may include region policies 128A and optionally industry policies 128B and company policies 128C, as described above. The cloud-based software provider instance(s) 112A.A may store the region policies 128A and optionally the industry policies 128B. In some implementations, the region policies 128A include not only the policies for the geographic region 102A, but also of other geographic regions with datacenters to which a customer may wish to migrate an organization instance and/or create a new organization instance. In some implementations, the industry policies 128B include policies for many different industries.

The organization instance 122A may include customer data including personal data 126A, rules to manage personal data 124A, and the company policies 128C. In some implementations, the personal data 126A includes or is similar to what was previously described as “personal data.” The rules to manage personal data 124 include or are similar to the previously described “the rules the customer has enabled to govern personal data” or the below described “rule set.” These rules are configurable by a customer (e.g., using data privacy and/or data governance tools) for the organization instance as is known in the art, such as use of one or more data sensitivity levels (e.g., public, internal, confidential, restricted, mission critical, personal data, user identifiable data, user traceable data, etc.), compliance categorizations (e.g., Health Insurance Portability and Accountability Act (HIPAA), California Consumer Privacy Act (CCPA), General Data Protection Regulation (GDPR), Personal Identifiable Information (PII), Payment Card Industry (PCI) Data Security Standard, Children’s Online Privacy Protection Act (COPPA), etc.), and customer consent forms and/or data (consent meaning information related to data privacy and/or data security requirements, regulations, and/or laws).

The data policy compliance service 134 may operate on the policies 128 relative to the organization instance 122A to cause the provision of the dashboards shown in FIGS. 1A-F according to the flow of FIG. 2A, and/or the alternative implementations described with reference to those figures. For instance, in some implementations the data policy compliance service 134 provides a dashboard that is, or is similar to, that shown in FIG. 1A. The data policy compliance service 134 includes a compliance assessment metric(s) calculator 150, a migration explorer 152, an optional compliance assistor 154, and an optional migrator 156. As should be evident to the reader, the names of these components are descriptive of the actions those components would perform with regard to the provision of the data policy compliance service previously described. For example, the compliance assessment metric(s) calculator may operate to determine compliance assessment metric(s) in the manner described below so they may be presented in a dashboard as shown in FIGS. 1B, 1C and 1D, or a similar manner thereto. The migration explorer 152 may operate to allow the user to explore compliance assessment metric(s) in current and/or target regions in the manner described above so they may be presented in a dashboard like those depicted in FIGS. 1C and 1D, or a similar manner thereto. The compliance assistor 154 may operate to allow the user to investigate ways to improve compliance assessment metric(s) in the manner described and presented in FIG. 1F, or a similar manner thereto. The optional migrator 156 may operate to allow the user to understand and assist with the acts required to migrate from a current region to a target region in the manner described above and depicted in FIG. 1E, or a similar manner thereto. This may include any gating of the ability to migrate and/or requirement for acceptance of the risk as described above and below.

The other organization instance(s) 122 may have similar types of information as organization instance 122A. To provide an example, the organization instance 122A may have been created by the customer 130C, and be storing data pertaining to one or more of the customers 160A-K. The organization instance 122M may have been created by the customer 130A.

As should be evident to the reader, FIG. 1G illustrates that various arrangements of customer to organization instance are possible, as well as scenarios pertaining to the geographic region(s) in which different ones of the customers 130 and/or the customers 160 are located. For instance, while the organization instance 122A of the customer 130C is located in the geographic region 102A, the customers 160A-K may all be in the geographic region 102A but the customer 130C may be in a different geographic region. As another example, while the organization instance 122A of the customer 130C is located in the geographic region 102A, the customer 130C may be in the geographic region 102A but the customers 160A-K may all be in a different geographic region. As yet another example, while the organization instance 122A of the customer 130C is located in the geographic region 102A, the customer 130C and some of the customers 160A-K may be in the geographic region 102A, but others of the customers 160A-K may be in a different geographic region. As yet another example, while the organization instance 122A of the customer 130C is located in the geographic region 102A, the customer 130C and the customers 160A-K may be in one or more other geographic regions. As a final example, the organization instance 122A of the customer 130C, the customer 130C, and the customers 160A-K may all be in the geographic region 102A.

FIG. 1H is a block diagram illustrating components according to some implementations. FIG. 1H shows the same geographic region 102A, but also a second geographic region 120J with similar components and a dashed line reflecting the possibility of the organization instance 122A migrating to geographic region 102J. FIG. 1H has datacenter 113J.A-J.S in place of datacenter 113A.A-A.R in FIG. 1G. As shown in FIG. 1H, in some implementations the cloud-based software provider instance(s) 112A.A are different instances of the same or similar software. Also, FIG. 1H shows that one or more of these instances may be on the same datacenter, different ones of these instances may be on different datacenters, and/or different ones of these instances may be on different datacenters in different geographic regions.

FIG. 1H illustrates that at least some implementations are capable of providing the data policy compliance service to provide a compliance assessment metric(s) from the customer data layer all the way through the hardware layer. More specifically, FIG. 1H shows that the datacenter operators’ coverage 111 includes the operation of the datacenter hardware layer 110. In contrast, FIG. 1H shows that the cloud-based software provider’s data policy coverage 121 may include both the datacenter customer layer 120 and the datacenter hardware layer 110. The cloud-based software provider can provide the data policy compliance service 134 to customers so they can use the service to understand and configure their data security and/or data privacy in a manner that addresses the stack that includes both the datacenter customer layer 120 and the datacenter hardware layer 110. As such, in some implementations, the cloud-based software provider through the data policy compliance service 134 can ensure and/or enable its customer to ensure that the datacenter customer layer 120 and the datacenter hardware layer 110 are properly configured, including configuring the datacenter hardware layer 110 such that it complies. This is true whether a given datacenter is a first party datacenter of the cloud-based software provider, or if the datacenter is a third-party datacenter (the public cloud).

Determination and Application of the Compliance Assessment Metric(s) According to Some Implementations

As described above, some implementations provide the combined compliance assessment metric in a 3-state (aka tier) format, using red, yellow, or green. In some implementations the colors are based on a binary assessment of whether the org is or is not in compliance with the applicable country-, industry-, and company-level compliance policies.

If an org is not in compliance with any of the set of compliance policies, some implementations will provide recommendations on how to resolve the issue. In addition, some implementations will provide the customer the option to dismiss the issue, if resolving the issue is not required (at company discretion).

Table 1 below shows the color result (that is, the tier) chosen for a number of scenarios, based on whether some implementations assess the org (aka organization instance) is (i.e., “yes”) or is not (i.e., “no”) in compliance with applicable types of policies.

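| Scenario | Country | Industry | Company | Assessment Color |
|----------|---------|----------|---------|------------------|
| 1        | Yes     | Yes      | Yes     | Green            |
| 2        | Yes     | Yes      | No      | Yellow           |
| 3        | Yes     | No       | No      | Red              |
| 4        | Yes     | No       | Yes     | Red              |
| 5        | No      | No       | No      | Red              |
| 6        | No      | No       | Yes     | Red              |
| 7        | No      | Yes      | Yes     | Red              |
| 8        | No      | Yes      | No      | Red              |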

Creating the Compliance Assessment Metric According to Some Implementations

The binary decision for compliance with the country, industry, or company level policies is based on whether the org has applied (shown through automated inspection of the org) or resolved (shown by manual confirmation by user) all the applicable compliance line items associated with a given compliance area. In some implementations, each org has such a rule set (see above-described rules to manage personal data 124 and “the rules the customer has enabled to govern personal data”) and there is an engine capable of one or both of automatically comparing the rule set against the policies or providing a user the opportunity to manually input an indication of compliance. To accomplish the assessment (in an automated way), implementations determine whether the org has enabled certain data privacy/governance capabilities (the above-described rule set) and attempt to align them with the policies.

Note: any regulations which require end user consent for data use will be evaluated on two levels. First, some implementations will attempt to automate inspection of applicable products for the presence of these policies. Second, a manual confirmation will be used by some implementations to address any products/use cases not covered by automated processing.

Country-Level / Region-Level Data Policies

Country-level / Region-level data policies are those which derive from the regulatory authorities of a given geography. These policies are distinctive due to their applicability to companies independent of their industry. CCPA is an example of a data policy at this level. For a given country hosting location, some implementations will surface the applicable compliance policies which should apply to the org.

-   Where applicable, some implementations will automatically evaluate the customer org based on its compliance with the specific regulations.
-   In all other cases, some implementations will request confirmation that the org is in compliance with specific regulations.

Result: If all line items are checked as complete, then green. Else red.

Industry-Level Data Policies

Industry-level data policies are those which derive from a specific industry regulatory authority within a specific geography. These policies are distinct due to their applicability exclusively to those companies which operate in a specific industry, like health care, financial services, or insurance. HIPAA is an example of such a data policy. For a given industry (within a given country hosting location), some implementations will surface the applicable compliance policies which should apply to the org.

-   Where applicable, some implementations will automatically evaluate the customer org based on its compliance with the specific regulations.
-   In all other cases, some implementations will request confirmation that the org is in compliance with specific regulations.

Result: If all line items are checked as complete, then green. Else red.

Company-Level Data Policies

Company-level data policies are those which are implemented in a given org based on the specific data policies a company intends to follow. Given the self-imposed nature of these policies, violations of these policies are treated in a manner distinct from those created by region-, country-, or industry-level regulators. After implementation of specific company-level data policies in a given org, some implementations will surface the applicable compliance policies which should apply to the customer org.

-   Where applicable, some implementations will automatically evaluate the customer org based on its compliance with the specific policies.
-   In all other cases, some implementations will request confirmation that the org is in compliance with specific policies.

Result: If all line items are checked as complete, then green. Else red.

Compliance Assessment Metric Gating Org Migration According to Some Implementations

There are many reasons a company may migrate its org data from one hosting location to another. To aid this migration process of moving data from a source region to a target region, some implementations require all applicable country- and industry-level compliance line items to be resolved in the target region before initiating the migration process. On the explore page, potential regions will be evaluated using the compliance assessment metric for suitability for an org migration.

-   If the region has a compliance assessment metric of yellow or green, the customer can elect to migrate their org data.
-   If the region has a compliance assessment metric of red, the customer must resolve specific country- or industry-level compliance line items before an org migration is available to that region.

Result: the customer completes all the required compliance paperwork before initiating the org migration process, thereby streamlining the overall process.

Exemplary Flow to Generate Compliance Assessment Metrics According to Some Implementations

FIG. 2B is a flow diagram for generating compliance assessment metrics according to some implementations. The flow of FIG. 2B can be triggered by one or more types of triggers, including the generation of a dashboard, a need to update a compliance assessment metric, periodically, etc. Block 250 states “determine a set of one or more compliance assessment metrics.” Control flows to block 280.

Since implementations may implement block 250 differently, the blocks inside are dashed. For instance, in an implementation that generates a single compliance assessment metric, the blocks inside block 260 may not be performed. At a first level, block 260 states “Determine a subset of one or more compliance assessment metrics based on policies of a set of one or more types” and block 270 states “combine the compliance assessment metrics in the subset of compliance assessment metrics to form a combined compliance assessment metric.”

Blocks 260 and 270 may be performed differently by different implementations. In some implementations that do so in the same or a similar manner as the technique described above, the following is performed: 1) block 260 includes blocks 262, 264, and 266 which respectively state determine a first, second, and third compliance assessment metric based on policies of a first, second, and third types; and 2) block 270 includes blocks 272, 274, and 276 which set the combined compliance assessment metric respectively to a first, second, and third tier based on the states of the first, second, and third compliance assessment metrics. In the context of the prior description: 1) the first, second, and third compliance metrics may be respectively based on the region, industry, and company policy types; 2) the first and second states may respectively be compliant or not compliant; and 3) the first, second, and third tiers may respectively indicate ready to go, proceed with caution, and not compliant based on the logic in Table 1.

Block 280 states “cause the display of at least one of the set of compliance assessment metrics in a dashboard.” FIGS. 1B and 1D are examples of tiles of dashboards including indications of all four of the compliance assessment metrics. FIG. 1C is an example of a tile of a dashboard including indications of only the combined compliance assessment metric for each of a number of regions. Control flows to optional block 290.

Block 290 states “gate the ability to migrate an organization instance based on at least one of the set of compliance assessment metrics.” Block 290 may be performed differently by different implementations. In some implementations that do so in the same or a similar manner as the technique described above, the following is performed: 1) block 292 states “when the combined compliance assessment metric is set to a first tier, cause the migration responsive to the user indicating to migrate;” 2) block 294 states “when the combined compliance assessment metric is set to a second tier, cause the migration responsive to the user indicating to migrate only if the user has affirmed acceptance of the risk of the migration;” and 3) block 296 states “when the combined compliance assessment metric is set to a third tier, do not allow the migration.” In the context of the prior description: 1) the first, second, and third tiers may respectively indicate ready to go, proceed with caution, and not compliant; and 2) the gating is based on the logic described above.
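The Table 1 combination (blocks 262-276) and the migration gating (blocks 292-296) can be sketched together as follows. This is an added example, not code from the application; the names `LineItem`, `area_compliant`, `combine`, `may_migrate` and the sample line items are hypothetical, and treating an area with no line items as compliant is an assumption.

```python
"""Table 1 tiering and migration gating (illustrative sketch, not the application's code)."""
from dataclasses import dataclass
from enum import Enum


class Tier(Enum):
    GREEN = "ready to go"
    YELLOW = "proceed with caution"
    RED = "not compliant"


@dataclass(frozen=True)
class LineItem:
    """One compliance line item of a policy area (hypothetical structure)."""
    name: str
    applied: bool = False   # shown through automated inspection of the org
    resolved: bool = False  # shown by manual confirmation by a user


def area_compliant(items):
    """Binary result for one policy area: every line item applied or resolved.

    Assumption: an area with no applicable line items counts as compliant.
    """
    return all(item.applied or item.resolved for item in items)


def combine(country_ok, industry_ok, company_ok):
    """Combine the three binary assessments into one tier, following Table 1."""
    if not (country_ok and industry_ok):
        return Tier.RED      # scenarios 3-8: a country- or industry-level gap
    if not company_ok:
        return Tier.YELLOW   # scenario 2: only a company-level gap
    return Tier.GREEN        # scenario 1: all three areas compliant


def may_migrate(tier, risk_accepted=False):
    """Gate a migration request on the combined tier (blocks 292, 294, 296)."""
    if tier is Tier.GREEN:
        return True
    if tier is Tier.YELLOW:
        return risk_accepted  # only after the user affirms acceptance of the risk
    return False              # RED: not allowed, risk acceptance does not override


def assess_target_region(country_items, industry_items, company_items):
    """Evaluate an org's line items against a target region and return the tier."""
    return combine(
        area_compliant(country_items),
        area_compliant(industry_items),
        area_compliant(company_items),
    )


# Constructed sample line items for one org and one target region.
SAMPLE_COUNTRY = [
    LineItem("end-user consent recorded", applied=True),
    LineItem("regional regulation confirmed", resolved=True),
]
SAMPLE_INDUSTRY = [LineItem("industry regulation confirmed", resolved=True)]
SAMPLE_COMPANY = [LineItem("internal data-handling rule enabled")]  # still open

if __name__ == "__main__":
    tier = assess_target_region(SAMPLE_COUNTRY, SAMPLE_INDUSTRY, SAMPLE_COMPANY)
    print(tier.name, "- migrate without acceptance:", may_migrate(tier))
    print(tier.name, "- migrate with acceptance:", may_migrate(tier, risk_accepted=True))
```

Keeping the red branch ahead of any check of `risk_accepted` is what prevents a user's risk acceptance from unlocking a migration that has open country- or industry-level line items.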

Updating Compliance Assessment Metric(s)

As described above, one or more of the compliance assessment metrics may change based on changes to any of the policies and/or changes to the rules the customer has enabled to govern personal data. For instance, a customer may use a cloud-based provider instance to edit the rules to manage personal data and/or the company policies in their organization instance, and thus necessitate a change in the compliance assessment metric(s). Additionally or alternatively, a customer may start collecting different personal data in their organization instance, and thus necessitate a change in the compliance assessment metric(s). Additionally or alternatively, the cloud-based software provider may edit, or optionally enable customers to propose edits, to the industry policies and/or the region policies, and thus necessitate a change in the compliance assessment metric(s).

Dashboards According to Some Implementations

A dashboard is typically a collection of boxes (often rectangular and referred to as tiles or panels) that often fits on a single webpage or application window (also called a canvas) and that is for display to a user through a user device. Typically, a given dashboard is for display to many users through multiple user devices. Each box of a dashboard contains a content element (e.g., a chart, a graph, an image, a spreadsheet, a pivot table, a list, a table, a widget; some of which are sometimes referred to as a “view” or a “visual”) which represents or is based on data from a data set. A dashboard and/or one, more, or all of the boxes may include a “menu bar” or other type of display item that allows the user to interact with the dashboard and/or the boxes. A data set is a collection of data used to create a content element. A data set may include (filtered and/or unfiltered) data from a single data source or from multiple data sources (e.g., one or more tables from an Excel workbook, one or more databases, a website, software services (e.g., Salesforce), etc.).

While in some implementations the user interface providing the dashboard is such that the available dashboards are relatively fixed, in other implementations the user interface allows users to create and edit dashboards, and share them with other users. Existing user interfaces (sometimes referred to as business intelligence (BI) tools) allow for this. The ability to create and/or edit dashboards is sometimes referred to as self-service or user-customizable dashboards. This ability enables data discovery. Data discovery is a user-driven process of collating, visualizing, exploring, and analyzing a data set, including searching for patterns or specific items in a data set. Data discovery applications often use visual tools (e.g., maps, pivot-tables) to make the process of finding patterns or specific items rapid and intuitive. Data discovery may leverage statistical and data mining techniques to accomplish these goals.

Data Privacy (e.g., GDPR)

Computing environments may manage data related to multiple entities (e.g., people, groups, companies, positions, archives) and need to provide privacy and data governance functionality. Such computing environments may store for each entity multiple database objects and/or records, each of which can have associated privacy and data governance characteristics and parameters. For example, in a small office setting, an employee may have: 1) an employee profile managed by the human resources department; and 2) an individual contact entry in a shared contacts database/app/tool. Each of these objects and/or records may have different associated permissions, uses, privacy requirements, access rights, etc.

Data classifications (referred to above as data sensitivity levels) may be associated with fields of database objects and used to determine data permissions, data uses, privacy requirements, access rights, data governance, etc. For example, data classifications may include one or more of: 1) Public (e.g., data meant to be viewed, but not altered, by the public); 2) Internal (e.g., data meant to be viewed/used by all at an organization that owns the data and/or contractors thereof, and potentially shared with customers, partners, and others under a non-disclosure agreement (NDA)); 3) Confidential (e.g., data meant to be used by a defined subset of the organization that owns the data and/or contractors thereof, and potentially shared with customers, partners, and others under a non-disclosure agreement (NDA) on an as-needed basis, but is not protected by law or regulation); 4) Restricted (e.g., data meant to be used by a smaller, defined subset of the organization and/or its contractors and is likely protected by law, regulation, and/or NDA); and/or 5) Mission Critical (e.g., data meant to be used by an even smaller, defined subset of employees/owners, as well as previously approved contractors or third parties subject to heightened contractual requirements, and is almost always protected by law, regulation, and/or NDA).

Example Electronic Devices and Environments

Electronic Device and Machine-Readable Media

A “reference” refers to data useable to locate other data and may be implemented in a variety of ways (e.g., a pointer, an index, a handle, a key, an identifier, etc.).

Receipt of data by the system may occur differently in different implementations (e.g., it may be pushed to the system (often referred to as a push model), pulled by the system (often referred to as a pull model), etc.).

One or more parts of the above implementations may include software. Software is a general term whose meaning can range from part of the code and/or metadata of a single computer program to the entirety of multiple programs. A computer program (also referred to as a program) comprises code and optionally data. Code (sometimes referred to as computer program code or program code) comprises software instructions (also referred to as instructions). Instructions may be executed by hardware to perform operations. Executing software includes executing code, which includes executing instructions. The execution of a program to perform a task involves executing some or all of the instructions in that program.

An electronic device (also referred to as a device, computing device, computer, etc.) includes hardware and software. For example, an electronic device may include a set of one or more processors coupled to one or more machine-readable storage media (e.g., non-volatile memory such as magnetic disks, optical disks, read only memory (ROM), Flash memory, phase change memory, solid state drives (SSDs)) to store code and optionally data. For instance, an electronic device may include non-volatile memory (with slower read/write times) and volatile memory (e.g., dynamic random-access memory (DRAM), static random-access memory (SRAM)). Non-volatile memory persists code/data even when the electronic device is turned off or when power is otherwise removed, and the electronic device copies that part of the code that is to be executed by the set of processors of that electronic device from the non-volatile memory into the volatile memory of that electronic device during operation because volatile memory typically has faster read/write times. As another example, an electronic device may include a non-volatile memory (e.g., phase change memory) that persists code/data when the electronic device has power removed, and that has sufficiently fast read/write times such that, rather than copying the part of the code to be executed into volatile memory, the code/data may be provided directly to the set of processors (e.g., loaded into a cache of the set of processors). In other words, this non-volatile memory operates as both long term storage and main memory, and thus the electronic device may have no or only a small amount of volatile memory for main memory.

In addition to storing code and/or data on machine-readable storage media, typical electronic devices can transmit and/or receive code and/or data over one or more machine-readable transmission media (also called a carrier) (e.g., electrical, optical, radio, acoustical or other forms of propagated signals - such as carrier waves, and/or infrared signals). For instance, typical electronic devices also include a set of one or more physical network interface(s) to establish network connections (to transmit and/or receive code and/or data using propagated signals) with other electronic devices. Thus, an electronic device may store and transmit (internally and/or with other electronic devices over a network) code and/or data with one or more machine-readable media (also referred to as computer-readable media).

Software instructions (also referred to as instructions) are capable of causing (also referred to as operable to cause and configurable to cause) a set of processors to perform operations when the instructions are executed by the set of processors. The phrase “capable of causing” (and synonyms mentioned above) includes various scenarios (or combinations thereof), such as instructions that are always executed versus instructions that may be executed. For example, instructions may be executed: 1) only in certain situations when the larger program is executed (e.g., a condition is fulfilled in the larger program; an event occurs such as a software or hardware interrupt, user input (e.g., a keystroke, a mouse-click, a voice command); a message is published, etc.); or 2) when the instructions are called by another program or part thereof (whether or not executed in the same or a different process, thread, lightweight thread, etc.). These scenarios may or may not require that a larger program, of which the instructions are a part, be currently configured to use those instructions (e.g., may or may not require that a user enables a feature, the feature or instructions be unlocked or enabled, the larger program is configured using data and the program’s inherent functionality, etc.). As shown by these exemplary scenarios, “capable of causing” (and synonyms mentioned above) does not require “causing” but the mere capability to cause. While the term “instructions” may be used to refer to the instructions that when executed cause the performance of the operations described herein, the term may or may not also refer to other instructions that a program may include. Thus, instructions, code, program, and software are capable of causing operations when executed, whether the operations are always performed or sometimes performed (e.g., in the scenarios described previously). The phrase “the instructions when executed” refers to at least the instructions that when executed cause the performance of the operations described herein but may or may not refer to the execution of the other instructions.

Electronic devices are designed for and/or used for a variety of purposes, and different terms may reflect those purposes (e.g., user devices, network devices). Some user devices are designed to mainly be operated as servers (sometimes referred to as server devices), while others are designed to mainly be operated as clients (sometimes referred to as client devices, client computing devices, client computers, or end user devices; examples of which include desktops, workstations, laptops, personal digital assistants, smartphones, wearables, augmented reality (AR) devices, virtual reality (VR) devices, mixed reality (MR) devices, etc.). The software executed to operate a user device (typically a server device) as a server may be referred to as server software or server code, while the software executed to operate a user device (typically a client device) as a client may be referred to as client software or client code. A server provides one or more services (also referred to as serves) to one or more clients.

The term “user” refers to an entity (e.g., an individual person) that uses an electronic device. Software and/or services may use credentials to distinguish different accounts associated with the same and/or different users. Users can have one or more roles, such as administrator, programmer/developer, and end user roles. As an administrator, a user typically uses electronic devices to administer them for other users, and thus an administrator often works directly and/or indirectly with server devices and client devices.

FIG. 3A is a block diagram illustrating an electronic device 300 according to some example implementations. FIG. 3A includes hardware 320 comprising a set of one or more processor(s) 322, a set of one or more network interfaces 324 (wireless and/or wired), and machine-readable media 326 having stored therein software 328 (which includes instructions executable by the set of one or more processor(s) 322). The machine-readable media 326 may include non-transitory and/or transitory machine-readable media. Each of the previously described clients and the data policy compliance service may be implemented in one or more electronic devices 300. In one implementation: 1) each of the clients is implemented in a separate one of the electronic devices 300 (e.g., in end user devices where the software 328 represents the software to implement clients to interface directly and/or indirectly with the data policy compliance service (e.g., software 328 represents a web browser, a native client, a portal, a command-line interface, and/or an application programming interface (API) based upon protocols such as Simple Object Access Protocol (SOAP), Representational State Transfer (REST), etc.)); 2) the data policy compliance service is implemented in a separate set of one or more of the electronic devices 300 (e.g., a set of one or more server devices where the software 328 represents the software to implement the data policy compliance service); and 3) in operation, the electronic devices implementing the clients and the data policy compliance service would be communicatively coupled (e.g., by a network) and would establish between them (or through one or more other layers and/or other services) connections for submitting requests to the data policy compliance service and returning results/data to the clients. Other configurations of electronic devices may be used in other implementations (e.g., an implementation in which the client and the data policy compliance service are implemented on a single one of electronic device 300).

During operation, an instance of the software 328 (illustrated as instance 306 and referred to as a software instance; and in the more specific case of an application, as an application instance) is executed. In electronic devices that use compute virtualization, the set of one or more processor(s) 322 typically execute software to instantiate a virtualization layer 308 and one or more software container(s) 304A-304R (e.g., with operating system-level virtualization, the virtualization layer 308 may represent a container engine (such as Docker Engine by Docker, Inc. or rkt in Container Linux by Red Hat, Inc.) running on top of (or integrated into) an operating system, and it allows for the creation of multiple software containers 304A-304R (representing separate user space instances and also called virtualization engines, virtual private servers, or jails) that may each be used to execute a set of one or more applications; with full virtualization, the virtualization layer 308 represents a hypervisor (sometimes referred to as a virtual machine monitor (VMM)) or a hypervisor executing on top of a host operating system, and the software containers 304A-304R each represent a tightly isolated form of a software container called a virtual machine that is run by the hypervisor and may include a guest operating system; with para-virtualization, an operating system and/or application running with a virtual machine may be aware of the presence of virtualization for optimization purposes). Again, in electronic devices where compute virtualization is used, during operation, an instance of the software 328 is executed within the software container 304A on the virtualization layer 308. In electronic devices where compute virtualization is not used, the instance 306 on top of a host operating system is executed on the “bare metal” electronic device 300. The instantiation of the instance 306, as well as the virtualization layer 308 and software containers 304A-304R if implemented, are collectively referred to as software instance(s) 302.

Alternative implementations of an electronic device may have numerous variations from that described above. For example, customized hardware and/or accelerators might also be used in an electronic device.

Example Environment

FIG. 3B is a block diagram of a deployment environment according to some example implementations. A system 340 includes hardware (e.g., a set of one or more server devices) and software to provide service(s) 342, including the data policy compliance service. In some implementations the system 340 is in one or more datacenter(s). These datacenter(s) may be: 1) first party datacenter(s), which are datacenter(s) owned and/or operated by the same entity that provides and/or operates some or all of the software that provides the service(s) 342; and/or 2) third-party datacenter(s), which are datacenter(s) owned and/or operated by one or more different entities than the entity that provides the service(s) 342 (e.g., the different entities may host some or all of the software provided and/or operated by the entity that provides the service(s) 342). For example, third-party datacenters may be owned and/or operated by entities providing public cloud services (e.g., Amazon.com, Inc. (Amazon Web Services), Google LLC (Google Cloud Platform), Microsoft Corporation (Azure)).

The system 340 is coupled to user devices 380A-380S over a network 382. The service(s) 342 may be on-demand services that are made available to one or more of the users 384A-384S working for one or more entities other than the entity which owns and/or operates the on-demand services (those users sometimes referred to as outside users) so that those entities need not be concerned with building and/or maintaining a system, but instead may make use of the service(s) 342 when needed (e.g., when needed by the users 384A-384S). The service(s) 342 may communicate with each other and/or with one or more of the user devices 380A-380S via one or more APIs (e.g., a REST API). In some implementations, the user devices 380A-380S are operated by users 384A-384S, and each may be operated as a client device and/or a server device. In some implementations, one or more of the user devices 380A-380S are separate ones of the electronic device 300 or include one or more features of the electronic device 300.

In some implementations, the system 340 is a multi-tenant system (also known as a multi-tenant architecture). The term multi-tenant system refers to a system in which various elements of hardware and/or software of the system may be shared by one or more tenants. A multi-tenant system may be operated by a first entity (sometimes referred to as a multi-tenant system provider, operator, or vendor; or simply a provider, operator, or vendor) that provides one or more services to the tenants (in which case the tenants are customers of the operator and sometimes referred to as operator customers). A tenant includes a group of users who share a common access with specific privileges. The tenants may be different entities (e.g., different companies, different departments/divisions of a company, and/or other types of entities), and some or all of these entities may be vendors that sell or otherwise provide products and/or services to their customers (sometimes referred to as tenant customers). A multi-tenant system may allow each tenant to input tenant specific data for user management, tenant-specific functionality, configuration, customizations, non-functional properties, associated applications, etc. This input information is one of the above-described organization instances. A tenant may have one or more roles relative to a system and/or service. For example, in the context of a customer relationship management (CRM) system or service, a tenant may be a vendor using the CRM system or service to manage information the tenant has regarding one or more customers of the vendor. As another example, in the context of Data as a Service (DAAS), one set of tenants may be vendors providing data and another set of tenants may be customers of different ones or all of the vendors’ data. As another example, in the context of Platform as a Service (PAAS), one set of tenants may be third-party application developers providing applications/services and another set of tenants may be customers of different ones or all of the third-party application developers.

Multi-tenancy can be implemented in different ways. In some implementations, a multi-tenant architecture may include a single software instance (e.g., a single database instance) which is shared by multiple tenants; other implementations may include a single software instance (e.g., database instance) per tenant; yet other implementations may include a mixed model; e.g., a single software instance (e.g., an application instance) per tenant and another software instance (e.g., database instance) shared by multiple tenants.

In one implementation, the system 340 is a multi-tenant cloud computing architecture supporting multiple services, such as one or more of the following types of services: a data policy compliance service 342; Customer relationship management (CRM); Configure, price, quote (CPQ); Business process modeling (BPM); Customer support; Marketing; External data connectivity; Productivity; Database-as-a-Service; Data-as-a-Service (DAAS or DaaS); Platform-as-a-service (PAAS or PaaS); Infrastructure-as-a-Service (IAAS or IaaS) (e.g., virtual machines, servers, and/or storage); Analytics; Community; Internet-of-Things (IoT); Industry-specific; Artificial intelligence (AI); Application marketplace (“app store”); Data modeling; Security; and Identity and access management (IAM).

For example, system 340 may include an application platform 344 that enables PAAS for creating, managing, and executing one or more applications developed by the provider of the application platform 344, users accessing the system 340 via one or more of user devices 380A-380S, or third-party application developers accessing the system 340 via one or more of user devices 380A-380S.

In some implementations, one or more of the service(s) 342 may use one or more multi-tenant databases 346, as well as system data storage 350 for system data 352 accessible to system 340. In certain implementations, the system 340 includes a set of one or more servers that are running on server electronic devices and that are configured to handle requests for any authorized user associated with any tenant (there is no server affinity for a user and/or tenant to a specific server). The user devices 380A-380S communicate with the server(s) of system 340 to request and update tenant-level data and system-level data hosted by system 340, and in response the system 340 (e.g., one or more servers in system 340) automatically may generate one or more Structured Query Language (SQL) statements (e.g., one or more SQL queries) that are designed to access the desired information from the multi-tenant database(s) 346 and/or system data storage 350.

In some implementations, the service(s) 342 are implemented using virtual applications dynamically created at run time responsive to queries from the user devices 380A-380S and in accordance with metadata, including: 1) metadata that describes constructs (e.g., forms, reports, workflows, user access privileges, business logic) that are common to multiple tenants; and/or 2) metadata that is tenant specific and describes tenant specific constructs (e.g., tables, reports, dashboards, interfaces, etc.) and is stored in a multi-tenant database. To that end, the program code 360 may be a runtime engine that materializes application data from the metadata; that is, there is a clear separation of the compiled runtime engine (also known as the system kernel), tenant data, and the metadata, which makes it possible to independently update the system kernel and tenant-specific applications and schemas, with virtually no risk of one affecting the others. Further, in one implementation, the application platform 344 includes an application setup mechanism that supports application developers’ creation and management of applications, which may be saved as metadata by save routines. Invocations to such applications, including the data policy compliance service, may be coded using Procedural Language/Structured Object Query Language (PL/SOQL) that provides a programming language style interface. Invocations to applications may be detected by one or more system processes, which manage retrieving application metadata for the tenant making the invocation and executing the metadata as an application in a software container (e.g., a virtual machine).

Network 382 may be any one or any combination of a LAN (local area network), WAN (wide area network), telephone network, wireless network, point-to-point network, star network, token ring network, hub network, or other appropriate configuration. The network may comply with one or more network protocols, including an Institute of Electrical and Electronics Engineers (IEEE) protocol, a 3rd Generation Partnership Project (3GPP) protocol, a 4th generation wireless protocol (4G) (e.g., the Long Term Evolution (LTE) standard, LTE Advanced, LTE Advanced Pro), a fifth generation wireless protocol (5G), and/or similar wired and/or wireless protocols, and may include one or more intermediary devices for routing data between the system 340 and the user devices 380A-380S.

Each user device 380A-380S (such as a desktop personal computer, workstation, laptop, Personal Digital Assistant (PDA), smart phone, augmented reality (AR) devices, virtual reality (VR) devices, etc.) typically includes one or more user interface devices, such as a keyboard, a mouse, a trackball, a touch pad, a touch screen, a pen or the like, video or touch free user interfaces, for interacting with a graphical user interface (GUI) provided on a display (e.g., a monitor screen, a liquid crystal display (LCD), a head-up display, a head-mounted display, etc.) in conjunction with pages, forms, applications and other information provided by system 340. For example, the user interface device can be used to access data and applications hosted by system 340, and to perform searches on stored data, and otherwise allow one or more of users 384A-384S to interact with various GUI pages that may be presented to the one or more of users 384A-384S. User devices 380A-380S might communicate with system 340 using TCP/IP (Transmission Control Protocol and Internet Protocol) and, at a higher network level, use other networking protocols to communicate, such as Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Andrew File System (AFS), Wireless Application Protocol (WAP), Network File System (NFS), an application program interface (API) based upon protocols such as Simple Object Access Protocol (SOAP), Representational State Transfer (REST), etc. In an example where HTTP is used, one or more user devices 380A-380S might include an HTTP client, commonly referred to as a “browser,” for sending and receiving HTTP messages to and from server(s) of system 340, thus allowing users 384A-384S of the user devices 380A-380S to access, process and view information, pages and applications available to it from system 340 over network 382.

Conclusion

In the above description, numerous specific details such as resource partitioning/sharing/duplication implementations, types and interrelationships of system components, and logic partitioning/integration choices are set forth in order to provide a more thorough understanding. The invention may be practiced without such specific details, however. In other instances, control structures, logic implementations, opcodes, means to specify operands, and full software instruction sequences have not been shown in detail since those of ordinary skill in the art, with the included descriptions, will be able to implement what is described without undue experimentation.

References in the specification to “one implementation,” “an implementation,” “an example implementation,” etc., indicate that the implementation described may include a particular feature, structure, or characteristic, but every implementation may not necessarily include the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same implementation. Further, when a particular feature, structure, and/or characteristic is described in connection with an implementation, one skilled in the art would know to affect such feature, structure, and/or characteristic in connection with other implementations whether or not explicitly described.

For example, the figure(s) illustrating flow diagrams sometimes refer to the figure(s) illustrating block diagrams, and vice versa. Whether or not explicitly described, the alternative implementations discussed with reference to the figure(s) illustrating block diagrams also apply to the implementations discussed with reference to the figure(s) illustrating flow diagrams, and vice versa. At the same time, the scope of this description includes implementations, other than those discussed with reference to the block diagrams, for performing the flow diagrams, and vice versa.

Bracketed text and blocks with dashed borders (e.g., large dashes, small dashes, dot-dash, and dots) may be used herein to illustrate optional operations and/or structures that add additional features to some implementations. However, such notation should not be taken to mean that these are the only options or optional operations, and/or that blocks with solid borders are not optional in certain implementations.

The detailed description and claims may use the term “coupled,” along with its derivatives. “Coupled” is used to indicate that two or more elements, which may or may not be in direct physical or electrical contact with each other, co-operate or interact with each other.

While the flow diagrams in the figures show a particular order of operations performed by certain implementations, such order is exemplary and not limiting (e.g., alternative implementations may perform the operations in a different order, combine certain operations, perform certain operations in parallel, overlap performance of certain operations such that they are partially in parallel, etc.).

While the above description includes several example implementations, the invention is not limited to the implementations described and can be practiced with modification and alteration within the spirit and scope of the appended claims. The description is thus illustrative instead of limiting.

What is claimed is:
 1. An article of manufacture comprising: a non-transitory machine-readable storage medium that provides instructions that, if executed by a set of one or more processors, are configurable to cause the set of processors to perform operations comprising, combining compliance assessment metrics in a subset of two or more compliance assessment metrics to form a combined compliance assessment metric, wherein each compliance assessment metric in the subset reflects a level of compliance of a set of rules with a different type of data privacy and/or data security laws, regulations, and/or policy, wherein the set of rules are to manage personal data in an organization instance of a customer of a cloud-based software provider capable of hosting the organization instance in one or more datacenters in a plurality of different geographic regions; gating an ability to move data from the organization instance from a first geographic region of the plurality of different geographic regions to a second geographic region of the plurality of different geographic regions based on the combined compliance assessment metric; and displaying at least the combined compliance assessment metric as part of a data policy compliance service provided by the cloud-based software provider.
 2. The article of manufacture of claim 1, wherein a first compliance assessment metric in the subset reflects the level of compliance of the set of rules with data privacy and/or data security laws, regulations, and/or policy of one of the plurality of different geographic regions, wherein a second compliance assessment metric in the subset reflects the level of compliance of the set of rules with data privacy and/or data security laws, regulations, and/or policy of an industry of the customer.
 3. The article of manufacture of claim 2, wherein a third compliance assessment metric in the subset reflects the level of compliance of the set of rules with a company policy of the customer relative to data privacy and/or data security laws, regulations, and/or policy of the one of the plurality of geographic regions and/or the industry of the customer.
 4. The article of manufacture of claim 1, wherein the operations also comprise: determining the subset of two or more compliance assessment metrics, the determining including: determining a first compliance assessment metric that reflects the level of compliance of the set of rules with a first type of data privacy and/or data security laws, regulations, and/or policy; and determining a second compliance assessment metric that reflects the level of compliance of the set of rules with a second type of data privacy and/or data security laws, regulations, and/or policy.
 5. The article of manufacture of claim 1, wherein the data from the organization instance includes data, metadata, and/or configuration of the customer hosted within a service of the cloud-based software provider.
 6. The article of manufacture of claim 1, wherein the data policy compliance service allows the customer of the cloud-based software provider to choose in which of a plurality of geographic regions data of the customer will be at least one of hosted and processed.
 7. The article of manufacture of claim 1, wherein the displaying further comprises: responsive to user input, displaying information regarding a plurality of geographic regions.
 8. The article of manufacture of claim 1, wherein the displaying further comprises: responsive to user interaction, displaying a set of acts to be performed before moving data from the organization instance to another geographic region.
 9. The article of manufacture of claim 1, wherein cloud services provided by the cloud-based software provider include one or more of Software-as-a-Service (SaaS), Data-as-a-Service (DAAS or DaaS), and Platform-as-a-service (PAAS or PaaS).
 10. The article of manufacture of claim 1, wherein at least one of the datacenters is a third-party datacenter, and wherein the cloud-based software provider is a customer of an operator of the third-party datacenter.
 11. A computer-implemented method comprising: combining compliance assessment metrics in a subset of two or more compliance assessment metrics to form a combined compliance assessment metric, wherein each compliance assessment metric in the subset reflects a level of compliance of a set of rules with a different type of data privacy and/or data security laws, regulations, and/or policy, wherein the set of rules are to manage personal data in an organization instance of a customer of a cloud-based software provider capable of hosting the organization instance in one or more datacenters in a plurality of different geographic regions; gating an ability to move data from the organization instance from a first geographic region of the plurality of different geographic regions to a second geographic region of the plurality of different geographic regions based on the combined compliance assessment metric; and displaying at least the combined compliance assessment metric as part of a data policy compliance service provided by the cloud-based software provider.
 12. The computer-implemented method of claim 11, wherein a first compliance assessment metric in the subset reflects the level of compliance of the set of rules with data privacy and/or data security laws, regulations, and/or policy of one of the plurality of different geographic regions, wherein a second compliance assessment metric in the subset reflects the level of compliance of the set of rules with data privacy and/or data security laws, regulations, and/or policy of an industry of the customer.
 13. The computer-implemented method of claim 12, wherein a third compliance assessment metric in the subset reflects the level of compliance of the set of rules with a company policy of the customer relative to data privacy and/or data security laws, regulations, and/or policy of the one of the plurality of geographic regions and/or the industry of the customer.
 14. The computer-implemented method of claim 11 further comprising: determining the subset of two or more compliance assessment metrics, the determining including: determining a first compliance assessment metric that reflects the level of compliance of the set of rules with a first type of data privacy and/or data security laws, regulations, and/or policy; and determining a second compliance assessment metric that reflects the level of compliance of the set of rules with a second type of data privacy and/or data security laws, regulations, and/or policy.
 15. The computer-implemented method of claim 11, wherein the data from the organization instance includes data, metadata, and/or configuration of the customer hosted within a service of the cloud-based software provider.
 16. The computer-implemented method of claim 11, wherein the data policy compliance service allows the customer of the cloud-based software provider to choose in which of a plurality of geographic regions data of the customer will be at least one of hosted and processed.
 17. The computer-implemented method of claim 11, the displaying further comprising: responsive to user input, displaying information regarding a plurality of geographic regions.
 18. The computer-implemented method of claim 11, the displaying further comprising: responsive to user interaction, displaying a set of acts to be performed before moving data from the organization instance to another geographic region.
 19. The computer-implemented method of claim 11, wherein cloud services provided by the cloud-based software provider include one or more of Software-as-a-Service (SaaS), Data-as-a-Service (DAAS or DaaS), and Platform-as-a-service (PAAS or PaaS).
 20. The computer-implemented method of claim 11, wherein at least one of the datacenters is a third-party datacenter, and wherein the cloud-based software provider is a customer of an operator of the third-party datacenter.
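
An added illustration of the combine-then-gate operations recited in claims 1, 8 and 11, not code from the patent or from the provider it describes. The 0 to 1 score scale, the weakest-link (minimum) combination, the 0.8 threshold, the requirement for a destination-region assessment and all names are assumptions, and the sample metrics are constructed.

```python
import math
from dataclasses import dataclass
from typing import Optional

MOVE_THRESHOLD = 0.8  # assumed cut-off; the page does not give one


@dataclass(frozen=True)
class Metric:
    kind: str              # which body of rules was assessed, e.g. "region:EU"
    score: float           # assumed scale: 0.0 (non-compliant) .. 1.0 (compliant)
    open_acts: tuple = ()  # acts still to be performed for this regime


@dataclass(frozen=True)
class Decision:
    allowed: bool
    combined: Optional[float]  # None when no trustworthy value could be formed
    reasons: tuple
    acts: tuple                # acts to display before a move (claims 8 and 18)


def _valid_score(value):
    """True only for a real, finite number inside [0, 1]."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return False
    return math.isfinite(value) and 0.0 <= value <= 1.0


def combine(metrics):
    """Weakest-link combination (an assumption): the lowest score wins.

    Raises ValueError unless there are two or more metrics, each covering a
    different type of rules, all with valid scores.
    """
    if len(metrics) < 2:
        raise ValueError("need two or more compliance assessment metrics")
    kinds = [m.kind for m in metrics]
    if len(set(kinds)) != len(kinds):
        raise ValueError("each metric must cover a different type of rules")
    for m in metrics:
        if not _valid_score(m.score):
            raise ValueError(f"invalid score for {m.kind}")
    return min(m.score for m in metrics)


def gate_move(metrics, dest_region, threshold=MOVE_THRESHOLD):
    """Decide whether data may move to dest_region; any doubt means deny."""
    acts = tuple(a for m in metrics for a in m.open_acts)
    # Fail closed when the destination region was never assessed.
    if f"region:{dest_region}" not in {m.kind for m in metrics}:
        return Decision(False, None,
                        (f"no assessment for region:{dest_region}",), acts)
    try:
        combined = combine(metrics)
    except ValueError as exc:
        # A missing, duplicated or malformed metric blocks the move.
        return Decision(False, None, (str(exc),), acts)
    weak = tuple(f"{m.kind} scored {m.score:.2f}"
                 for m in metrics if m.score < threshold)
    return Decision(combined >= threshold, combined, weak, acts)


# Constructed sample: region, industry and company-policy assessments.
SAMPLE = [
    Metric("region:EU", 0.92),
    Metric("industry:healthcare", 0.71,
           ("encrypt the 'diagnosis' field at rest",)),
    Metric("company-policy", 0.88),
]

if __name__ == "__main__":
    print(gate_move(SAMPLE, "EU"))
    print(gate_move(SAMPLE, "US"))
```

Taking the minimum rather than an average keeps one strong assessment from masking a failing one, and returning `None` for the combined value on bad input keeps a dashboard from showing a number the gate did not trust.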